EUROPEAN COMMISSION

Brussels, 15.9.2015

COM(2015) 441 final

REPORT FROM THE COMMISSION TO THE EUROPEAN PARLIAMENT AND THE COUNCIL

Annual report to the Discharge Authority on internal audits carried out in 2014
(Article 99(5) of the Financial Regulation)

{SWD(2015) 170 final}

1.    Introduction    

2.    The IAS Mission: Independence, objectivity and accountability Objectives and scope of the Report    

3.    Overview of audit production    

3.1.    Implementation of the 2014 audit plan    

3.2.    Statistical data on IAS recommendations    

4.    Principal findings and recommendations    

4.1.    Horizontal engagements    

4.1.1.    Audit on efficiency and effectiveness of the planning stage of the selection process – Multi DG (EPSO, DG HR, DG CNECT, DG SANTE (ex-SANCO), DG TAXUD    

4.1.2.    Horizontal IT audit: Audit of management and supervision of outsourced IT services (contract management) – Multi DG (DG BUDG, DG DIGIT, DG HOME, OP, DG SANTE (ex-DG SANCO)    

4.1.3.    Audit on the administrative processes supporting the European Semester – Multi DG (SG, SJ, DG COMM, DG COMP, DG ECFIN, DG EMPL, DG MARKT, DG TAXUD)    

4.2.    Agriculture, Natural Resources and Health    

4.2.1.    Gap analysis review of 2014-2020 Regulations for the Common Agricultural Policy, Phase 1 (DG AGRI)    

4.3.    Cohesion    

4.3.1.    Gap Analysis Review of Regulation 2014-2020 for European Structural and Investment Funds (ESI funds) Phase 1 – Multi DG (DG AGRI, DG EMPL, DG MARE, DG REGIO)    

4.3.2.    Gap Analysis of new legislation/design of 2014-2020 Programming Period of European Structural and Investment Funds (ESI funds) Phase 2 – Multi DG (DG EMPL, DG REGIO)    

4.3.3.    Audit on preparations for use of Financial Instruments in DG EMPL 2014-2020 (DG EMPL) and Audit on preparations for use of Financial Instruments in DG REGIO 2014-2020 (DG REGIO)    

4.3.4.    Limited Review of the calculation and the underlying methodology of DG REGIO's residual error rates for the 2013 Reporting Year (DG REGIO)    

4.4.    Research, energy and transport    

4.4.1.    Gap Analysis Review of the legislation regarding Horizon 2020 – Multi DG (DG CNECT, DG ENER, DG MOVE, DG RTD)    

4.4.2.    Audit on the implementation of FP7 control systems (including Supervision of External Bodies) in DG CNECT (DG CNECT)    

4.4.3.    Audit on the implementation of FP7 control systems (including Supervision of External Bodies) in DG RTD (DG RTD)    

4.4.4.    Audit on the implementation of FP7 control systems in ERCEA (ERCEA)    

4.4.5.    Audit on procurement management in DG JRC (DG JRC)    

4.4.6.    Limited Review of the calculation and the underlying methodology of DG CNECT's residual error rate for the 2013 reporting year (DG CNECT)    

4.5.    Economic and financial affairs    

4.5.1.    Audit on risk management and planning processes in DG ECFIN in the New Economic Governance context (DG ECFIN)    

4.5.2.    Audit on DG MARKT's cooperation with the three Supervisory Bodies on Financial Services (DG MARKT)    

4.5.3.    Audit on performance measurement system in DG TAXUD Customs Activities (DG TAXUD)    

4.6.    External Aid, development and enlargement    

4.6.1.    Audit on contribution agreements with UN bodies and other International Organisations (DG DEVCO)    

4.6.2.    Audit on contribution agreements with international organisations (DG ECHO)    

4.6.3.    Audit on the assurance building process in EU Delegations (DG DEVCO)    

4.6.4.    Audit on budget support in DG DEVCO    

4.6.5.    Audit on the control strategy in FPI (FPI)    

4.7.    IT audits    

4.7.1.    Joint IAS/AGRI IAC audit on the management of local IT in DG AGRI    

4.7.2.    Audit on IT governance in DG BUDG    

4.7.3.    Audit on the management of logical access to systems (ECAS/LDAP/windows) in DG DIGIT    

4.7.4.    Audit on the management of IT projects in DG EAC (E4ALink and EVE)    

4.7.5.    Joint IAS/IAC audit on the management of local IT in DG MARE    

5.    Consultation with the Commission's Financial Irregularities Panel    

6.    Conclusions    

7.    List of acronyms    

1.Introduction

This report is to inform the Discharge Authority of the work carried out by the Commission’s Internal Audit Service (IAS), as required by Article 99(5) of the Financial Regulation. It is based on the report drawn up by the Commission’s Internal Auditor under Article 99(3) of the Regulation, regarding IAS audit- and consulting reports completed in 2014 1 on Commission Directorates-General (DGs), Services and Executive Agencies 2 . In line with its legal base it contains a summary of the number and type of internal audits carried out, the recommendations and the action taken on those recommendations 3 .

2.The IAS Mission: Independence, objectivity and accountability Objectives and scope of the Report

The IAS's mission is to contribute to sound management in the European Commission by auditing internal management and control systems to assess their effectiveness with a view to achieving on-going improvements.

The IAS's independence is enshrined in the Financial Regulation 4 and its Mission Charter as adopted by the Commission. The IAS reports on all of its audits to the Audit Progress Committee (APC) 5 .

The IAS performs its work in accordance with the Financial Regulation and the International Standards for the Professional Practice of Internal Auditing and the Code of Ethics of the Institute of Internal Auditors.

The IAS does not audit Member States’ systems of control over the Commission’s funds. Such audits, which reach down to the level of individual beneficiaries, are carried out by Member States’ internal auditors, national Audit Authorities, other individual Commission DGs and the European Court of Auditors (ECA). The IAS does, however, audit measures taken by the Commission services to supervise and audit bodies in Member States, and other bodies which are responsible for disbursing EU funds, such as the United Nations. As provided for in the Financial Regulation, the IAS can carry out these duties on the spot, including in the Member States.

3.Overview of audit production

3.1.Implementation of the 2014 audit plan

By the cut-off date of 31 January 2015, the implementation of the 2014 audit plan reached its target of 100% of planned engagements for audits in the Commission, Services and Executive Agencies 6 .

The IAS completed 105 reports (compared to 87 in 2013 and 89 in 2012) including 31 audits, 67 follow-ups, 5 limited reviews, one dedicated IT risk assessment and one management letter.

3.2.Statistical data on IAS recommendations

In 2014, the IAS issued 127 new recommendations (of which 50 very important and 77 important). Two recommendations rated 'important' were not accepted by management 7 and another two recommendations rated 'very important' only partially 8 . Action plans for all accepted recommendations were assessed as satisfactory by the IAS.

Auditees reported that 78 % of accepted recommendations issued between 2010 and 2014 were implemented by the start of 2015. Out of all recommendations rated 'very important' or 'critical' and issued in the period 2010-2014, 17 very important recommendations (2%) were overdue by more than six months. No critical recommendation is outstanding. The APC was regularly informed of very important recommendations overdue by more than six months and reminded services of their responsibility to implement, where necessary. The total number of accepted recommendations issued during 2010-2014 for which the IAS had conducted follow-up audits by the end of 2014, amounts to 640. The IAS follow-up work confirmed that recommendations were being implemented satisfactorily, contributing to the improvement of control systems in the audited services. The IAS closed 95% of the recommendations followed-up during this period.

The accompanying Staff Working Document provides more detailed information on acceptance rates for new recommendations and the implementation of recommendations relating to the period 2010-2014.

4.Principal findings and recommendations 9

4.1.Horizontal engagements

4.1.1.Audit on efficiency and effectiveness of the planning stage of the selection process – Multi DG (EPSO, DG HR, DG CNECT, DG SANTE (ex-SANCO), DG TAXUD

The overall objective of the audit was to assess the effectiveness and efficiency of the current planning stage of the selection process in replying to the EU Institutions' needs for new staff. The audit covered the planning processes in place in EPSO and in the European Commission.

The audit showed that the current planning stage of the selection process enables the scheduling of open competitions that, overall, meet the needs of the EU Institutions by providing them with a pool of candidates with the profiles required. In a timely manner EPSO actively cooperates with the EU Institutions in order to analyse and prioritise their requests and to plan open competitions. At the Commission level, the process in place enables the assessment of the need for laureates effectively.

The IAS has, however, issued two very important recommendations aiming at improving the efficiency and timeliness of the planning exercise by issuing guidelines, enhancing HRM tools used in the analysis of future recruitment needs and by removing those steps that have limited or no added value for the process of estimating the future needs for laureates.

To address these issues, EPSO should provide guidelines and instructions to the EU institutions to increase the coherence and comparability of their requests for laureates and should request sufficient details on the criteria used in order to correctly prioritise the requests and to align competition organisation with the Institutions' real needs and recruiting capacities. Better scheduling of the exercise should also reduce delays. At the level of the DGs, HRM tools should be used consistently and their output used in the analysis of future recruitment needs.

The audited services have established action plans which the IAS considers satisfactory to address the recommendations.

For more details, see section 2.1 of the SWD.

4.1.2.Horizontal IT audit: Audit of management and supervision of outsourced IT services (contract management) – Multi DG (DG BUDG, DG DIGIT, DG HOME, OP, DG SANTE (ex-DG SANCO)

A significant part of the IT expenditure of the Commission is devoted to the outsourcing of IT services to internal or external providers. In the Commission, the responsibilities are set up at the corporate and local level. At the corporate level DG DIGIT and DG BUDG provide guidance, instructions and templates, develop training and manage framework contracts. At the local (operational) level, DGs/Services are responsible for defining needs, implementing individual contracts and ensuring that the services are provided. In this context, the overall objective of the audit was to assess the effectiveness and efficiency of Commission's processes in place for the management and supervision of contracts for outsourced IT services with a view to ensuring that value for money is obtained.

The audit identified a mature process for managing and supervising outsourced IT services both at corporate and operational level. However, the IAS has identified very important issues in the areas of estimation of needs before establishing a framework contract, quality management of services outsourced on a time and means basis, and guidelines on the choice of type of outsourcing.

The process of needs assessment, before establishing a framework contract, should be standardised at central and operational level with the provision of instructions on how to define needs (in order to ensure coherence among calls for tender) and the implementation of a structured and traceable process at DG level. The consolidation of needs at Commission level should also be further enhanced to reflect more accurately the actual needs of the DGs/Services.

As regards the management of the individual contracts under the time & means working mode, DG DIGIT should ensure consistency among framework contracts in terms of level of the checks foreseen when selecting intra muros consultants, definition of KPIs, dissemination of information on contractors' performances to the end users in DGs/Services and alignment of the clauses for the application of liquidated damages based on the global service indicator. At operational level DGs/Services should improve the performance measurement system for their own framework contracts.

On the choice of type of outsourcing, DG DIGIT should issue guidance to help the operational DGs/Services choose the most appropriate working mode. At the operational level, the choice should be based on a cost-benefit analysis, taking into consideration the particular conditions and constraints of the outsourced services.

The IAS issued recommendations to DG DIGIT, DG SANTE and OP. The audited services have established action plans which the IAS considers satisfactory to address the recommendations.

For more details, see section 2.2 of the SWD.

4.1.3.Audit on the administrative processes supporting the European Semester – Multi DG (SG, SJ, DG COMM, DG COMP, DG ECFIN, DG EMPL, DG MARKT, DG TAXUD)

The European Semester (ES) has been designed so that the Member States (MS) discuss and coordinate their budgetary, macro-economic and structural reform plans with the EU institutions and other MS at specific times throughout the year. The overall objective of this performance audit was to address the following question: Are the administrative processes supporting the European Semester effective and efficient across the Commission? The audit assessed the adequacy of the internal control system regarding the production and communication of the various ES deliverables.

Overall, the audit showed that the administrative processes in the SG and the sampled DGs support the implementation of the European Semester across the Commission in an effective and efficient way.

For more details, see section 2.3 of the SWD.

4.1.Agriculture, Natural Resources and Health

(AGRI, CLIMA, ENV, MARE, SANTE, CHAFEA)

4.1.1.Gap analysis review of 2014-2020 Regulations for the Common Agricultural Policy, Phase 1 (DG AGRI)

The IAS carried out a gap analysis of the 2014-2020 Regulation for the Common Agricultural Policy (CAP). It comprised a high-level analysis of the adopted legislation for the CAP covering both pillars, i.e. mainly, but not exclusively, the European Agricultural Guarantee Fund (EAGF, pillar 1) and the European Agricultural Fund for Rural Development (EAFRD, pillar 2).

The main objective of this gap analysis was to highlight, for the most important areas, the additional and/or higher risks the Commission is facing as a result of the new legal framework for the CAP. The analysis mainly focused on the underlying content of the adopted legislation and the extent to which this reflects the Commission's original proposals/objective to have an appropriate balance between reducing the administrative burden, but at the same time maintaining the necessary level of control to exercise its supervisory responsibilities for the execution of the budget.

The regulations bring together a number of key improvements aimed at harmonising and simplifying the arrangements governing the Structural Funds and the two pillars of the Agriculture area. The IAS acknowledges the efforts made by the Commission's services during the negotiation phase to protect the Commission's interests in its supervisory role, particularly in the face of very strong external political pressures.

However, the final adopted legislation has resulted in significant additional and/or higher risks, which will need to be addressed as part of the DG AGRI’s preparations for the design and implementation of controls in the new period.

The main theme emerging is the sheer complexity and volume of the changes brought about by the legislative process. Across the board, but notably in key areas such as 'greening', a number of new measures were introduced, together with a large number of derogations, exceptions and supplementary rules which have offered greater flexibility to MS. The IAS notes the efforts made by DG AGRI to address these concerns, for example the preparation of vade-mecums and detailed guidelines to be adopted by the Commission. Nevertheless, the scope for interpretation on the part of MS has been significantly increased, which in turn can have an equally significantly impact on the error rate.

Given the nature of this engagement, only recommendations of a rather general nature were formulated and services were not requested to draw up action plans. Instead, the IAS will cover the main risks identified through focused audits on 'greening', the approval process of Rural Development Programmes and the suspension and interruption mechanism in 2015.

For more details, see section 3.1 of the SWD.

4.2.Cohesion

(REGIO, EMPL)

4.2.1.Gap Analysis Review of Regulation 2014-2020 for European Structural and Investment Funds (ESI funds) Phase 1 – Multi DG (DG AGRI, DG EMPL, DG MARE, DG REGIO)

In order to improve coordination and harmonised implementation of the Funds providing support under Cohesion Policy (ERDF, ESF and CF), with the Funds for Rural Development (EAFRD) and for the Maritime and Fisheries Sector (EMFF), a common provisions regulation (CPR) was established for all these Funds together, which are referred to as the European Structural and Investment Funds (ESI Funds).

In 2014, the IAS carried out a two-phase gap analysis of the 2014-2020 Regulation for ESI Funds. Phase 1 consisted of a high-level analysis of the adopted legislation covering the four DGs (DG AGRI, DG EMPL, DG MARE, and DG REGIO) and the five ESI Funds. The analysis mainly focused on the underlying content of the adopted legislation and the extent to which this reflects the Commission's original proposals/objective to have an appropriate balance between reducing the administrative burden, but at the same time maintaining the necessary level of control to exercise its supervisory responsibilities for the execution of the budget under shared management. The findings relating specifically to DG AGRI were communicated separately - see section 4.2.1 of this report.

Phase 2 consisted of a more in depth examination of the design and preparations being made by the specific Directorates-General (DGs) concerned (see section 4.3.2).

The main objective of the Phase 1 review was to highlight, for the most important areas, the additional risks faced by the Commission as a result of the co-legislative process for the CPR. The CPR brings together under one heading a number of key improvements aimed at harmonising and simplifying the arrangements governing the Structural Funds. The IAS welcomes this approach and acknowledges the efforts made by the Commission services during the negotiation phase to protect the Commission's interests in its supervisory role, in the face of strong external political pressures.

However, when compared to the Commission's original proposals, the final adopted legislation has resulted in significant additional risks which will need to be addressed in the DGs' preparations for the design and implementation of controls in the new Programming Period. Although there is now one overarching set of rules, the legislative package as a whole is very complex. It is not always readily understandable, which could in turn lead to problems of interpretation on the part of Member States and pose a challenge for both Commission and MS bodies in terms of verification and control and ultimately increase the risk of errors. The final CPR is less strict regarding financial corrections resulting in loss of funds for MS ('net financial corrections') and thus gives fewer incentives for MS to improve the first level of controls. Furthermore, the CPR also brings in certain limitations as regards the time window for audits given the rules on the retention of documents. Finally, the introduction of the performance framework resulted in agreement on a number of exceptions and conditions to the rules, which could mean that non-performance may not actually be extensively penalised, which could in turn weaken the ultimate impact of the framework.

Given the nature of this engagement, the IAS made only general recommendations that DGs would be expected to take proper account of in their preparations going forward, but they were not requested to draw up action plans. More concrete recommendations were made as part of the Phase 2 work (see section 4.3.2).

For more details, see section 4.1 of the SWD.

4.2.2.Gap Analysis of new legislation/design of 2014-2020 Programming Period of European Structural and Investment Funds (ESI funds) Phase 2 – Multi DG (DG EMPL, DG REGIO)

Phase 2 of the gap analysis review was completed for DGs REGIO and EMPL and was on-going at year-end for DG MARE and in 2015.

The auditors recognise the ongoing efforts made by DGs EMPL and REGIO to put in place a solid basis for the new 2014-2020 Programming Period's operational programmes and management and control systems. However, the IAS has identified four very important issues common to both DGs: on the supervision of MS management and control systems, on the Operational Programme (OP) negotiation and adoption process, on results orientation and the performance framework, and on IT systems supporting the management of the Programming Period 2014-2020 processes.

To address these issues, DGs EMPL and REGIO should clarify the gaps identified in the audit strategy, to ensure sound assurance building processes for the DGs from the start. They should therefore further develop their audit strategy with respect to obtaining assurance on the reliability of the Audit Authority (AA). The annual focus of the audit strategy should be complemented with a multi-annual assurance building approach and audits planned in such a way as to optimise the use of the retention period for documents. In addition, the DGs should plan more early preventive system audits.

DGs REGIO and EMPL should carefully monitor the final phases before OP adoption, including the follow-up given to the Commission's observations. The DGs should also clarify the minimum requirements for documenting the Desk Officer's (DO) work and ensure that DOs comply with these. Both DGs should ensure that DOs actively question the plausibility of milestones/targets and document this assessment. Concerning the IT system used (WAVE), they should ensure that business processes are defined and agreed in time, ensure a stable project team, develop a reliable project planning and monitoring and improve IT development methods and defect resolution in order to ensure a stable platform.

The audited services have established action plans which the IAS considers satisfactory to mitigate the risks identified.

For more details, see section 4.2 of the SWD.

4.2.3.Audit on preparations for use of Financial Instruments in DG EMPL 2014-2020 (DG EMPL) and Audit on preparations for use of Financial Instruments in DG REGIO 2014-2020 (DG REGIO)

The role of financial instruments in helping to achieve cohesion policy objectives has grown progressively in previous programming periods. The legal framework for the 2014-2020 programming period has expanded the scope for their use and has introduced a number of changes aimed at strengthening the implementation framework. In view of these increased expectations and the associated risks, particularly as regards likely take-up rates and the efficient and effective use of the funds, the IAS carried out two audit engagements in parallel, in DG REGIO and DG EMPL, on the preparations being made for 2014-2020.

The main objective of the audits was to assess the DGs' readiness to monitor and supervise financial instruments under the new legal framework and to highlight in advance any weaknesses in their internal control systems. The audits consisted of a detailed analysis of the adequacy of the 2014-2020 legislative framework, as well as of a review of the design of the internal control system. This also included the capacity building activities internally as well as towards MS.

Overall, both DGs have made adequate preparations except for their capacity building efforts. While acknowledging that a number of measures have already been undertaken, a key element for both DGs is the financial instruments technical advisory platform (FI-TAP). However, following the late adoption of the legislative framework and the delays in the negotiation of a Financial and Administrative Framework Agreement (FAFA) between the Commission and the EIB, this has been significantly delayed. For those MS with little or no previous experience of using financial instruments, this could further delay take-up and implementation. It could also increase the risk of irregularities and that technical assistance money is not spent in an efficient and effective way. For both DG REGIO and DG EMPL, this issue was classified as "Very Important".

Both DGs need to closely monitor the work and the timing of preparations for the launch of the FI-TAP. The platform needs to be sufficiently flexible to meet all stakeholders' needs. Pending its launch, the DGs need to properly plan and schedule the drafting of supporting technical fiches and further develop training for both their geographical desk officers and their auditors.

In addition, the IAS identified several issues arising from the new legal provisions, which are open to interpretation and which can pose risks to their practical implementation (i.e. provisions on financing working capital; reporting the leverage achieved; provisions for preferential treatment of private investors as well as rules for management costs and fees). These were classified as "Very Important" in the case of DG REGIO and "Important" in DG EMPL. The latter classification reflects the fact that financial instruments are much less significant in budgetary terms for EMPL than for REGIO.

The DGs were recommended to ensure that the risks related to issues identified in the legal framework are adequately mitigated and properly reflected in guidance to REGIO/EMPL staff and MS as well as in audit and control strategies, adapted for the 2014-2020 programming period. Specifically, guidance on the eligibility of working capital, preferential treatment of private investors, use of the ex-ante assessment reports and reporting of leverage should be developed.

Both DGs have established action plans which the IAS considers satisfactory to address the recommendations.

For more details, see sections 4.3 and 4.4 of the SWD.

4.2.4.Limited Review of the calculation and the underlying methodology of DG REGIO's residual error rates for the 2013 Reporting Year (DG REGIO)

In 2014, the IAS continued to carry out limited reviews on the calculation of residual error rates. A limited review was performed in DG REGIO and DG CNECT (see section 4.4.6).

The objective was to review the calculation and underlying methodology of the Cumulative Residual Risk/Error Rate (CRR) and so contribute to the mitigation of the discharge risk by enabling DG REGIO to take appropriate actions, if any, before their disclosure in the final AAR and Synthesis report.

The review highlighted three very important findings.

The error rates reported by national Audit Authorities (AAs) vary considerably in terms of reliability and there is a risk that they are understated. DG REGIO should continue its efforts to strengthen the reliability of the AAs' work by ensuring that guidance is applied in practice and strengthening the reporting requirements for the 2014-20 programming period.

The figures reported by MS on withdrawals and recoveries are not always reliable, due in part to the limitations of the way in which they are reported to the Commission, but also because the AAs only perform limited checks on them. In addition, the system allows certain elements to be double-counted in the calculation and key advance information on withdrawals/recoveries to be taken into account before it is certain. All this combines to increase the risk of overstatement of the figures and consequent understatement of the CRR. Going forward, the DG needs to carry out more systematic checks on the MS figures and ensure that its audit work delivers the necessary coverage and addresses the risk of overstatement. DG REGIO should assess the assurance it has that pending recoveries and formal agreements are actually implemented in practice, and that MS reports on withdrawals and recoveries submitted in advance of the 31 March deadline are correct, before taking them into account. Moreover, the implementing acts for the 2014-20 programming period should improve the way in which MS report withdrawals and recoveries.

Negative CRR figures for a number of Operating Programmes (OPs) can be carried forward and incorporated in the calculation of the overall average CRR for all OPs. This has the effect of understating the overall CRR figure by some 10%. In addition, error rates related to the previous year are used to estimate the errors relating to the current year although these are not always the best available estimate, for example in cases where significant changes to the management and control systems have been made. This can have the effect of understating or overstating the CRR figures.

For the 2013 AAR, DG REGIO should analyse for each OP whether it is valid to use the error rate relating to the previous year's expenditure as a best estimate when calculating the current year’s CRR and amount at risk. For the 2014 AAR onwards, negative figures for individual OPs should not be carried forward into subsequent year's calculations.

The report has fed into the peer reviews on draft AARs prior to finalisation of the 2013 AAR. All the findings and recommendations were accepted and the DG has, to the extent possible, implemented the recommendations for its 2013 AAR. A recent follow-up showed that all remaining actions of the very important recommendations have been implemented for the 2014 AAR.

For more details, see section 4.5 of the SWD.

4.3.Research, energy and transport

(CNECT, ENER, JRC, MOVE, RTD, ERCEA, INEA, REA)

4.3.1.Gap Analysis Review of the legislation regarding Horizon 2020 – Multi DG (DG CNECT, DG ENER, DG MOVE, DG RTD)

Horizon 2020 is the Union's new funding programme that brings together all previous Union research and innovation funding. The Horizon 2020 commitment appropriations are directly managed by Commission Directorate-Generals (DGs), Executive Agencies and other implementing bodies.

The IAS is carrying out a gap analysis review of the legal framework of Horizon 2020 and the accompanying Innovation and Investment Package (IIP) in two stages. The first stage was the subject of this review and focused on the content of the adopted legislation and compares it to the initial Commission proposal. The second stage in 2015 will involve a more in depth examination of the design and preparations being made by DG RTD, other DGs and Executive Agencies.

The main objective of the first stage was to compare the adopted legislation to the Commission's proposal and to highlight, for the most important areas, the additional risks the Commission is facing as a result of the co-legislative process, taking account of the Commission's stated goal to adopt a simpler programme architecture and a single set of rules for participation, to achieve an appropriate balance between trust and controls and to reduce the administrative burden on both beneficiaries and the Commission.

The IAS welcomes the efforts made through this legislation to bring together a number of improvements aimed at harmonising and simplifying the arrangements governing the research framework programme. It also recognises the efforts made by the Commission services during the negotiation phase to protect the Commission's interest, in the face of external political pressure. When compared to the Commission's original proposal, the final legislation has resulted in a compromise text which is not too far from what the Commission originally set out to achieve. Nevertheless, the changes have resulted in a number of additional risks that will need to be addressed as part of the preparations for the design and implementation of controls going forward.

Given the nature of this engagement, the IAS made only general recommendations at this stage that DGs would be expected to take proper account of in their preparations going forward, but they were not requested to draw up action plans. More concrete recommendations may arise from the findings of the Phase 2 work in 2015.

For more details, see section 5.1 of the SWD.

4.3.2.Audit on the implementation of FP7 control systems (including Supervision of External Bodies) in DG CNECT (DG CNECT)

This engagement formed part of a series of audits on the implementation of FP7 control systems, carried out in the DGs/Agencies with the most significant budgetary envelopes in this area.

DG CNECT implements EU research policy and supports the development of the European Research Area mainly through the Research Framework Programmes (2007-2013) that is being phased out, but still a large portion of the payment appropriations will be spent against cost claims in 2016-2017. Moreover, DG CNECT supervises two Joint Undertakings (ENIAC and ARTEMIS that recently merged into a single one, i.e. ECSEL), one body established under art. 185 TFEU 10  (Ambient Assisted Learning (AAL)) and two EU Agencies (ENISA and BEREC).

There was one reservation in the 2013 DG CNECT AAR concerning the rate of the residual errors with regard to the accuracy of cost claims in FP7.

The objective of the audit was to assess the adequacy and effective application of the internal control systems concerning the processes in place for implementing the ex-post control results, anti-fraud measures, transfer of the ex-post control activity to the Common Support Center hosted by DG RTD as from 1 January 2014 and supervision of the external bodies.

While recognising that DG RTD is the lead DG in the area of fraud detection following the transfer of the ex-post control activities to the Common Support Centre, the IAS recommended that DG CNECT should take the initiative and collaborate with DG RTD to further develop the existing guidance concerning the implementation of financial and administrative penalties. DG CNECT should ensure their systematic application (as foreseen by the current FR, the CAFS and the contractual framework for FP7 and Horizon2020), at least in the established cases of fraud.

In addition, DG CNECT should collaborate with DG RTD to ensure the availability of an effective and integrated IT tool aimed at detecting double funding and plagiarism that can be used across all Commission Research Services, striking the right balance between coverage of the riskiest projects and cost of controls. DG CNECT should develop the relevant internal procedures to integrate plagiarism detection into current practices.

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 5.2 of the SWD.

4.3.3.Audit on the implementation of FP7 control systems (including Supervision of External Bodies) in DG RTD (DG RTD)

DG RTD implements EU research policy and supports the development of the European Research Area mainly through the Research Framework Programmes. It also supervises other bodies implementing the research budget: two executive agencies (REA and ERCEA), four Joint Undertakings (JUs) 11 , namely, Clean Sky, FCH 12 , IMI 13 and F4E 14 , and three bodies (Public-Public Partnership) established under Article 185 of the Treaty on the Functioning of the European Union (TFEU). Although the Seventh Framework Programme covering the period 2007-2013 is being phased out, a large portion of the payments appropriations (€8 609.37 m) still remains to be used against cost claims over the next few years. In its 2013 Annual Activity Report, DG RTD made a reservation concerning the residual error rate with regard to the accuracy of cost claims in FP7.

The objective of the audit was to assess the adequacy and effective application of the internal control systems in place for DG RTD monitoring and supervising the above mentioned bodies, prevention and detection of fraud and the transition to the Common Audit Service (CAS) in the Common Support Centre, which, as from 1 January 2014, is responsible for implementing the ex-post audit strategy for the FP7 legacy managed in-house.

The IAS recommended that the DG should ensure staff's full awareness about the Commission's accountability in this area, obtaining from the JTI JUs the most complete and up-to-date information for the purpose of its own AAR, and ensuring that it has consistent information from across the different JTI JUs on the calculation of the residual error rate and materiality criteria.

Furthermore, DG RTD should seek internal agreement related to the creation of the Common Support Centre clarifying roles, responsibilities, tasks and procedures. Given the challenges faced by the CSC, especially in obtaining from other DGs in the research family agreement on the transfer of adequate staff or posts, the IAS has brought the issue of the resource gaps to the attention of the central services by issuing a management letter on the subject.

Finally, in coordination with the other Research family Services, DG RTD should update the Research family common anti-fraud strategy, including concrete actions to improve fraud prevention and detection activities, and in particular address the risks of scientific and professional misconduct, double funding and plagiarism. The DG should further develop and implement clear guidelines on the application of financial and non-financial sanctions in both FP7 and Horizon 2020 and develop a set of KPIs to be able to measure the performance of the anti-fraud activity, and a proper monitoring and reporting tool for the potential fraud cases.

In addition, the IAS also raised a number of important issues, in particular on the supervision of article 185 bodies. The audit revealed that DG RTD did not obtain sufficient evidence that these bodies have an effective and efficient internal control system as required by the Financial Regulation. In order not to jeopardise its assurance building process, DG RTD should establish and communicate clear criteria for building up assurance to the article 185 bodies and report on the level of assurance obtained from them in its own AAR.

Issues related to the Commission's accountability for the implementation of the budget entrusted to delegated bodies, lack of harmonised reporting on the calculation and disclosure of error rates by the JTI JUs and delays in the start-up phase of the CAS may have a negative impact on the assurance-building process for the research family of DGs.

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 5.3 of the SWD.

4.3.4.Audit on the implementation of FP7 control systems in ERCEA (ERCEA)

The European Research Council (ERC) was set up in 2007 to implement the IDEAS programme under the Seventh Framework Programme (FP7) for the benefit of the scientific community in Europe by financing frontier research projects. The ERC aims to provide researchers with the means to conduct their research independently, by selecting and funding investigator-driven research ideas based on initiatives from the scientific community. Another goal of the ERC is to offer career prospects to the best European researchers and also to attract top scientists. The ERC Executive Agency (ERCEA) is the dedicated structure responsible for the implementation and execution of the programme.

Although the FP7 covering the period 2007-2013 is being phased out, a large portion (around 50%) of the budgeted amount still remains to be used over the next few years, with the volume and value of payments under the IDEAS programme expected to peak between 2014 and 2016, and the last final payments to be made in 2021.

The objective of the audit was to assess whether ERCEA's FP7 control strategy was efficiently and effectively implemented and reported in its Annual Activity Report. In addition, the IAS examined whether ERCEA ensures that corrective measures are taken promptly and proportionately in order to obtain an acceptable level of error as regards the legality and regularity of transactions.

The IAS recommended that ERCEA should disclose a residual error rate based on a statistically representative sample or, if it uses an alternative assessment pattern, to refer to it as a "detected" rather than "representative" error rate.

Furthermore ERCEA should develop a comprehensive audit strategy and audit plan, including relevant KPIs, and regularly review its risk parameters to reflect the specificities of ERCEA.

The Executive Agency has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 5.4 of the SWD.

4.3.5.Audit on procurement management in DG JRC (DG JRC)

Procurement is vital to the core business of the JRC to provide EU policies with independent, evidence-based scientific and technical support throughout the whole policy cycle. Over 75% of its annual budget (excluding staff related expenditure) is implemented through a large number of procurement procedures and the signature of numerous contracts.

The objective of the audit was to assess whether the procurement process at the JRC is compliant with the procurement rules and whether the controls in place are effective. It focused on procedural aspects such as needs analysis and planning, contract preparation and execution, and ex-post control strategy.

The audit identified signs of good progress but also areas that need further attention. In this context, the JRC should take steps to identify individual procedures related to goods/services that, in aggregate, may reach the threshold during the year and therefore be subject to a wider procedure.

The IAS recommended that the JRC reviews its strategy for low value purchases following an analysis of the expenditure profile of each site accompanied by actions such as awareness-raising targeting the operational units on the criteria used for determining the choice of procurement procedure and to implement specific control measures and/or awareness raising actions to follow-up the financial issues detected during the testing phase of the audit.

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 5.5 of the SWD.

4.3.6.Limited Review of the calculation and the underlying methodology of DG CNECT's residual error rate for the 2013 reporting year (DG CNECT)

The objective was to review the calculation and underlying methodology of the RER, and so contribute to help mitigate the discharge risk, enabling DG CNECT to take appropriate actions, if any, before their incorporation in the final AAR and Synthesis report.

As a result of the review, no significant risks were identified.

For more details, see section 5.6 of the SWD.

4.4.Economic and financial affairs

(COMP, ECFIN, FISMA, GROW, OLAF, TAXUD, TRADE, EASME)

4.4.1.Audit on risk management and planning processes in DG ECFIN in the New Economic Governance context (DG ECFIN)

DG ECFIN plays a central role in the design, negotiation and implementation of the policy responses of the Commission in addressing the impact of the global financial crisis involving banking systems, stock markets, and the flow of credit. Since 2008, the DG has grown significantly in terms of the number of staff, its responsibilities and the complexity of the regulatory framework within which it works. The DG has also undergone three reorganisations.

The objective of the audit was to asses if DG ECFIN has based its management, monitoring and reporting of its new responsibilities in economic governance on effective risk management and planning procedures.

Overall, the audit confirmed that, in a context of economic crisis and challenging constraints, DG ECFIN's management, monitoring and reporting of its new responsibilities in economic governance are based on effective elements of risk management and planning generally in line with the central services' guidelines.

For more details, see section 6.1 of the SWD.

4.4.2.Audit on DG MARKT's cooperation with the three Supervisory Bodies on Financial Services (DG MARKT)

Following the outbreak of the financial crisis in 2008, the stabilisation of financial markets became a priority and financial sector reform a crucial instrument to achieve it. The financial crisis highlighted the need for better regulation and supervision of the financial sector. Three European Supervisory Authorities (ESAs) – the European Banking Authority (EBA), the European Securities and Markets Authority (ESMA) and the European Insurance and Occupational Pensions Authority (EIOPA) – were established on 1 January 2011 to replace the former EU supervisory architecture.

The overall objective was to assess DG MARKT's current performance management framework to follow up on and monitor cooperation with the three ESAs on financial services and for receiving information and reporting on progress towards the achievement of the policy objectives for European financial supervision.

Overall, the audit showed that the design and implementation of DG MARKT's current performance management framework regarding the cooperation with the three ESAs is adequate, both for following up on their activities and for receiving information and reports on progress towards achievement of the policy objectives for European financial supervision.

For more details, see section 6.2 of the SWD.

4.4.3.Audit on performance measurement system in DG TAXUD Customs Activities (DG TAXUD)

The functioning of the Customs Union relies on a close cooperation between DG TAXUD and national administrations. The main instrument supporting the implementation of the customs policy was the Customs 2013 programme (until 2013), replaced by the new Customs 2020 programme from 2014 onwards. A priority for 2014 was to further progress towards e-Customs, a modern and paperless environment for customs and trade based on the Union Customs Code (UCC) adopted on 9 October 2013.

The overall objective of the audit was to assess the performance measurement framework in place for customs activities in DG TAXUD in terms of its daily operational and administrative activities as well as the delivery of its policy objectives.

While acknowledging the steps already taken, the IAS concluded that DG TAXUD should significantly improve performance measurement of Customs Committees and Groups and of DG TAXUD internal activities in the customs area.

To address these two very important issues, DG TAXUD should set up a more effective performance measurement system for Committees and Groups with clearer responsibilities, improved coordination and resource monitoring. The DG should also improve its own performance measurement system by using more effectively the Management Plan and risk management as management tools and by strengthening internal communication.

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 6.3 of the SWD.

4.5.External Aid, development and enlargement

(DEVCO, ECHO, FPI, NEAR)

4.5.1.Audit on contribution agreements with UN bodies and other International Organisations (DG DEVCO)

During the preparation of the IAS's 2013-2015 Strategic Audit Plan, the risk related to contribution agreements with International Organisations (IOs) was assessed as high, based on the importance, in financial terms, of contribution agreements as a modality to deliver development aid.

The objective of the audit was to assess the efficiency and effectiveness of the processes and procedures in place in DG DEVCO to implement the development and cooperation aid actions through contribution agreements with IOs, notably in view of the requirements introduced by the new Financial Regulation (FR) related to indirect management mode where the Commission entrusts budget implementation tasks to, inter alia, IOs through indirect management delegation agreements (IMDA).

The IAS concluded that DG DEVCO has taken appropriate steps since the adoption of the new FR in order to adapt its internal control layers to its new requirements. Notably, the IAS noted that the new ex-ante (pillar) assessment methodology developed by DG DEVCO in 2013 is in line with the FR and its Rules of Application and the Commission's Internal Control Standards.

DG DEVCO's overall strategy for the management of contribution agreements with IOs, as presented in the various documents reviewed, is coherent as regards the Commission decision, the financing agreement, the action fiche and the relevant contribution agreement signed with the IO. Reporting requirements are included in the special conditions and reports are generally clear, precise and specific.

In addition, the IAS notes that DG DEVCO and DG ECHO have coordinated and implemented a clear job sharing on the planning of the new pillar assessments.

For more details, see section 7.1 of the SWD.

4.5.2.Audit on contribution agreements with international organisations (DG ECHO)

During the preparation of the IAS's 2013-2015 Strategic Audit Plan, the inherent risk in implementing contribution agreements was assessed as high based on the fact that DG ECHO does not implement humanitarian actions by itself but through its partners through the indirect management mode (joint management under the previous Financial Regulation) which may create challenges and risks for DG ECHO in the achievement of its policy objectives. Furthermore, in financial terms contribution agreements represent a large proportion (46% in 2012) of DG ECHO's total yearly commitments.

The objective of the audit was to assess the efficiency and effectiveness of the processes and procedures in place in DG ECHO to implement humanitarian aid actions administered through contribution agreements with IOs.

The IAS notes the efforts made by DG ECHO (together with DG DEVCO) in enhancing the earlier pillar assessment methodology and in developing its intervention strategies. In recent years, DG ECHO has considerably improved the planning and decision-making processes of its projects and has streamlined its financing decision-making processes, which has enabled both DG ECHO and its partners to better plan their projects. Whilst acknowledging the steps already taken, the IAS concludes that DG ECHO should (i) improve its overall monitoring and reporting framework to address the non-achievement of objectives for certain projects, (ii) maintain and further build on the progress it has made to date to better demonstrate that it is getting value for money from its funding of International Organisations, and (iii) ensure the cost-effectiveness of its verification strategy.

The IAS recommended that DG ECHO should further develop its monitoring framework in view of the move towards a new performance-based culture and greater focus on value for money in the Commission. The DG should also perform an analysis of the most common reasons for project failures and ensure that there is an audit trail of the reasons to accept the final payment of projects; DG ECHO should also re-assess its reporting needs in conjunction with those of field monitoring visits. Finally, DG ECHO should consolidate its verification strategy to include objectives and targets and address the cost benefit of controls.

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 7.2 of the SWD.

4.5.3.Audit on the assurance building process in EU Delegations (DG DEVCO)

During the preparation of the IAS's 2013-2015 Strategic Audit Plan, the risk related to the assurance building process in European Union Delegations (EUDs) was assessed as high, based on DG DEVCO's global reservation issued in its 2012 and 2013 Annual Activity Reports on all its activities due to the significant occurrence of legality and regularity errors (i.e. error rates of 3.63% in 2012 and 3.35% in 2013), which was in line with the findings and the most likely error rates identified by the Court of Auditors during the 2011 and 2012 Declaration of Assurance exercises.

The risk assessment was also based on the 2012 IAS audit on the AAR process in DG DEVCO, which concluded that the reporting chain (known as the "control pyramid system") from the Heads of Delegation to the Directors (Sub-delegated Authorising Officers) in DG DEVCO and from the Directors to DG DEVCO's Director-General (Authorising Officer by Delegation - AOD) should be reinforced and that the effectiveness of the External Assistance Management Report (EAMR) as an accountability (assurance) and management tool between Delegations and Headquarters should be improved.

The objective of the audit was to assess the adequacy and effective application of the internal control system, risk management and governance processes related to the assurance building process within EU Delegations.

Given the environment in which DG DEVCO operates, it is important that the management control systems operate effectively to mitigate the financial and reputational risk to the EU budget and increase the chance of achieving value for money for the taxpayer. The provision of a statement of assurance by Heads of Delegations is an effective means of providing assurance on the functioning of the internal control environment which the IAS welcomes. The IAS concluded that the EAMR process was well structured and organised within the EUDs under the responsibility of the Head of Delegation who signs off his/her statement of assurance as required by the Financial Regulation. The IAS however noted that this process could be further improved by providing clear guidance to EUDs on (i) elements/events that should or could trigger a reservation by EUDs, and (ii) the potential consequences of a reservation. The IAS identified one very important issue related to the lack of clear guidance on where and how a reservation should be expressed by the Heads of Delegation in the Statement of Assurance.

In order to mitigate this risk, DG DEVCO should improve its guidance on (i) the definition of a reservation, including the potential financial or reputational impact at the level of the EUD, and (ii) the consequences of a reservation (i.e. main actions defined, implemented or planned to be implemented in order to remedy the situation/weakness that triggered the reservation).

One important recommendation should also be highlighted: The EAMR is the main accountability tool used by EU Delegations to provide assurance on the management of funds sub-delegated to them. It consists of a set of Key Performance Indicators (KPIs) on sound financial management and the efficiency of internal controls and audit systems. The IAS recommended that DG DEVCO should improve the design of the EAMR by providing further guidance on the design, use and relevance of the KPIs that structure the report to ensure that they provide sufficient information to the assurance-building process.

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 7.3 of the SWD.

4.5.4.Audit on budget support in DG DEVCO 

Budget Support (BS) is an aid modality, financed both by the EU Budget and by the European Development Fund (EDF), and represented 24% of the DG's total payments in 2014. A feature of BS is that the use of the money contributed cannot be traced, as the funds are transferred to the recipient country's national treasury. The Commission's responsibilities when accounting for and auditing these resources are therefore limited to ensuring that the conditions for disbursement have been met and that the funds have been transferred in accordance with the agreement signed with the country.

At the end of 2013, there were 256 BS operations implemented or under preparation in 84 countries. Africa and European Neighbourhood Partnership countries are by far the largest recipients of budget support funds (44% and 31% of total ongoing commitments in 2013 respectively).

The use of certain aspects of budget support by the Commission has been challenged over the years by the European Parliament's Committees on Development (DEVE) and on Budgetary Control (CONT), as well as by MS. In addition, in its Special Report 11/2010, the European Court of Auditors (ECA) identified weaknesses in the Commission's management of budget support.

The objective of the audit was to assess DG DEVCO's approach to budget support and, in particular, whether DG DEVCO's processes to manage its budget support operations were efficient and effective.

The audit concluded that the Budget Support Guidelines (issued September 2012), together with a strengthened risk management framework, provide a good basis for informing decision-making. The IAS welcomes the upcoming review of the Budget Support Guidelines which comes in time to orient the implementation of the new Multiannual Indicative Programmes and is intended to respond to specific areas of concern raised by the services during the first two years of their implementation. However, the IAS identified one very important issue on policy dialogue in the context of budget support.

To address this issue, DG DEVCO should improve the current guidance on policy dialogue. DG DEVCO should also include policy dialogue elements for a certain sector/subsector in the Financing Agreement (or in another document agreed with the national authorities) to better anticipate the main orientations of the policy dialogue and ultimately contribute to achieving the targeted results for the specific indicators defined in the Technical and Administrative Provisions (TAPs).

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 7.4 of the SWD.

4.5.5.Audit on the control strategy in FPI (FPI)

The Service for Foreign Policy Instruments (FPI) manages an important part of the foreign policy budget. It is responsible, inter alia, for the operational and financial management of the Common Foreign and Security Policy (CFSP) operations and of the crisis component of the Instrument for Stability (IfS).

The complexity of the decision-making process, the geographical dispersion of the actors involved (CSDP - Common Security and Defence Policy missions and EUSRs - EU Special Representatives), the operating environment of CSDP missions which are created from scratch without prior assurance that they fulfil the requirements of the "pillar assessment", and the often high level of corruption in the countries of operations create an inherently highly risky environment for the implementation of the budget, for which FPI is solely responsible. These high risks, if insufficiently mitigated, may impact the assurance obtained by FPI from these entities.

The objective of the audit was to assess the adequacy and effectiveness of FPI's control strategy over CFSP and IfS operations implemented by EUSRs/CSDP missions and EU Delegations respectively and in particular (i) the design and effective implementation of the control strategy put in place by FPI to underpin the assurance building process related to CFSP and IfS, (ii) the anti-fraud strategy put in place by FPI, and (iii) the calculation and disclosure of the residual error rate in FPI's 2013 AAR.

The IAS took note of the environment in which FPI operates which constitutes a challenge in terms of coordination and renders the decision-making process more complex. However, the IAS concluded that, in providing assurance on the use of resources and, given the increasingly important budget devoted to its activities, FPI should ensure that an anti-fraud strategy is developed for CSDP missions/EUSRs, its internal control system is strengthened and effectively applied, and complies with DG BUDG's instructions when calculating its error rate.

To address these issues, FPI should develop and implement a strategy for fraud prevention and detection in CSDP missions/EUSRs and ensure that staff implementing CFSP budget are regularly trained on anti-fraud issues and ethics. Effective and centralised guidance to missions should also be provided and FPI should re-assess its control strategy by improving its effectiveness during the implementation phase to minimise the amount of ineligible expenditure identified by ex-post controls and also review its audit strategy for mandates. Finally, FPI should apply, in line with DG BUDG's AAR standing instructions, a multi-annual approach for the calculation of the error rate for activities that are multi-annual in nature based on payments actually audited, and take steps to implement an alternative assessment pattern to complement the current methodology for the provision of the assurance.

One recommendation rated 'very important' and addressed to FPI was only partially accepted. The IAS recommended that FPI better document the decision-making process for recoveries. FPI considered that they had taken several initiatives to improve this: however, the IAS' audit revealed that weaknesses remained despite these initiatives.

The DG has established an action plan which the IAS considers satisfactory to address the accepted recommendations.

For more details, see section 7.5 of the SWD.

4.6.IT audits

4.6.1.Joint IAS/AGRI IAC audit on the management of local IT in DG AGRI

DG AGRI's core business depends heavily on IT systems. They mainly support agricultural markets, direct aids and rural development, and financial and audit management related activities. IT activities and resources are managed locally, mainly in the IT Unit

The overall objective of the audit was to assess the internal control system put in place by DG AGRI to ensure an adequate and effective management of its local IT activities.

Overall, the IAS noted that DG AGRI's local IT effectively fulfils its mandate to support the implementation of DG AGRI's activities by providing IT solutions aligned with the business needs and priorities. However, the IAS addressed to DG AGRI two very important issues on IT governance and IT strategy.

The DG still needs to further enhance the IT governance framework by clarifying the roles and responsibilities of the different bodies/actors. In particular, the DG should strengthen the steering role of the IT Steering Committee (ITSC) and of the information systems/project steering committees as well as the participation of the business side in the decision making process.

DG AGRI should also establish a comprehensive IT strategy outlining the long-term direction of the DG's investments in IT and their alignment with the business objectives. If not adequately addressed, these issues may lead to ineffective/inefficient decision making as regards IT activities and to weak alignment of IT with the DG's and corporate business objectives.

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 8.1 of the SWD.

4.6.2.Audit on IT governance in DG BUDG

DG BUDG relies heavily on IT systems for the execution of its tasks. The Director-General is System Owner of the Central Financial Information Systems, including ABAC (for the registration of budgetary execution and accounting), Badgebud (for budgetary preparation) and RAD (for the follow-up to the annual discharge), mostly developed and maintained by DG BUDG.

The overall objective of this audit was to assess whether IT governance in DG BUDG ensures optimal alignment between business and IT, sound management of resources and effective IT solutions. The audit focused on DG BUDG's current framework to govern and oversee its IT activities. In particular it looked at the design and implementation of processes and organisational structures in place to ensure that IT adequately supports the DG's strategies and objectives.

Overall DG BUDG's IT function delivers effective IT solutions in terms of availability of financial systems, reliability of accounts and compliance with legal obligations. However, the IAS identified very important issues in the following areas: IT governance, IT organisation and priority setting and planning of IT activities.

DG BUDG should enhance the current IT governance set-up by revising the configuration, composition and mandate of the governing bodies and ensuring their effective functioning. IT Steering Committee (ITSC) meetings should be held more frequently and the roles of System Owner, Business Owner and Data Owner should be clarified for the various information systems.

DG BUDG should also streamline its IT organisation by reorganising the IT capacity into homogeneous areas and consolidate IT-related tasks based on an inventory of IT-related activities currently performed in the DG and of the available competencies. In particular, the DG should separate IT supply- and IT demand-related tasks and regulate the relationship between these two components.

Priority setting and planning should be set up in a more achievable way and with a clearer allocation of responsibilities in order to deliver as planned, on time and within budget. When planning its IT activities, DG BUDG should therefore take into consideration available resources and constraints to avoid unrealistic expectations and likely failures/delays. The DG should also ensure that business requests are communicated to the IT function in a timely manner, to enable it to plan its activities more accurately.

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 8.2 of the SWD.

4.6.3.Audit on the management of logical access to systems (ECAS/LDAP/windows) in DG DIGIT

ECAS is the primary authentication system used in the European Commission. It is a single repository of the credentials (login, password) which serves around 1.3 million users (internal and external) accessing corporate and local IT systems that support administrative, financial and policy-related activities. ECAS has been developed internally by DG DIGIT and is hosted in the Data Centre. In 2013, DG DIGIT launched a major project (called EXODUS) to update the ECAS IT infrastructure and enhance ECAS security, which is currently underway.

The overall objective of the audit was to assess whether the control system put in place by DG DIGIT ensures that the ECAS authentication service adequately supports the needs for a secure access to the Commission’s information systems.

The audit demonstrated that ECAS has a good track record of performance without any major complaints from users over the past years and has been used by a growing number of corporate and local applications. It has also evolved to provide some additional features and better respond to security challenges. Nevertheless, DG DIGIT needs to further enhance ECAS services governance and security management to offer more effective and secure authentication services for the community of users.

The IAS identified very important issues in the following areas: vision and strategy for Identity and Access Management (IAM); security requirements for ECAS; requirements management and planning of the Exodus project; and ECAS dependency on Windows Active Directive (AD), the Commission Enterprise Directory (CED) and the Central User Directory (CUD).

To address these issues, DG DIGIT should update the vision for IAM and ensure that it is adequately translated into a long-term strategy and yearly plans with clear objectives and deliverables.

Furthermore, DG DIGIT should ensure that the security requirements are defined involving all stakeholders and are properly documented in a security plan. It should also define a clear roadmap (with resources, deadlines and deliverables) in the context of the Exodus project.

Finally, DG DIGIT should identify and assess unnecessary dependencies from other components and implement appropriate security measures to reduce the likelihood of security breaches and interruption of service.

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 8.3 of the SWD.

4.6.4.Audit on the management of IT projects in DG EAC (E4ALink and EVE)

Currently, DG EAC is managing several IT development projects aiming at delivering IT applications to support the management of the future generation of programmes (2014-2020). In particular DG EAC is paying special attention to the activities related to the Erasmus+ programme, with a total budget for the period 2014-2020 of around €19 billion.

The IT systems under development will be used by DG EAC's operational units as well as National Agencies, Executive Agencies and grant beneficiaries. The adequate management of IT projects is a key success factor to ensure that IT systems meet the users' expectations and are delivered on time and within the budget allocated.

In this context, the objective of the audit was to assess the adequacy of the IT project management in DG EAC in terms of respect of the deadlines fixed to release the systems into production, respect of the budget allocated to the projects and quality of the deliverables.

Overall, the IAS noted that the DG has worked on improving the management of its IT projects, moving toward a coherent and structured approach and implementing a project management framework that encompasses governance and organisational structures, processes, activities and documentation. However, the IAS identified areas for improvement in relation to the management of the portfolio of projects, the project management methodology and the information system logical security.

To address these issues DG EAC should strengthen the project management control mechanisms in place (by aligning process, artefacts and workflows of current and future projects to the reference framework PM2) and should implement a formal structure for the programme and portfolio management.

DG EAC should also define and implement security plans based on the results of the business impact and risk assessments and the resulting criticality of the IT systems. Both business side and security specialists should be involved in these exercises.

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 8.4 of the SWD.

4.6.5.Joint IAS/IAC audit on the management of local IT in DG MARE

The activities of DG MARE rely heavily on IT systems to achieve the strategic objectives of both the Fisheries (CFP) and the Maritime (CMP) policies. DG MARE's information systems support the Integrated Fisheries Data Management (IFDM) programme, provide information about the Atlas of the seas (MarAtlas) and enable public administrations to exchange cross-sector data in the maritime field (CISE project). The overall objective of the audit was to assess the internal control system put in place by DG MARE to ensure an adequate and effective management of its local IT activities.

Overall, DG MAREis fully aware of the importance of IT to help achieve business objective and devotes great attention to it (e.g. via monthly IT Steering Committee meetings). IT solutions are delivered to support DG's policies despite the inherent complexity of the environment in which it operates and resource constraints. However, the IAS identified very important issues on IT strategy and governance, on IT operations and on IT project management.

To address these issues, DG MARE should define and endorse a formal IT strategy covering, for the long term, all the IT-related activities supporting the business goals. Furthermore, an exercise should be formalised to identify, assess and prioritise the IT-related needs for all the policies under DG MARE's responsibilities and to allocate the available resources to them.

The DG should also enhance the current governance set-up by reviewing the functioning of the existing governing bodies (ITSC, Thematic groups) and establishing specific steering committees for programmes and projects to oversee their operational aspects. Roles, responsibilities and reporting modalities should be clearly defined and implemented for all the governing bodies.

In the area of IT operations, DG MARE should improve its change management framework and procedures in order to wholly cover, assess and prioritise the requests for change in all the IT domains.

DG MARE should also enhance its portfolio and programme management by defining an adequate framework encompassing organisation, roles and responsibilities, processes and tools both from the IT and business sides. In terms of project management, DG MARE should improve the support given to the business and project managers, design and implement a quality management process and improve the service management function.

The DG has established an action plan which the IAS considers satisfactory to address the recommendations.

For more details, see section 8.5 of the SWD.

5.Consultation with the Commission's Financial Irregularities Panel

No systemic problems were reported in 2014 by the Financial Irregularities Panel under Article 73(6) 15 of the Financial Regulation applicable to the general budget of the European Communities.

6.Conclusions

The implementation of action plans drawn up in response to IAS audits this year and in the past contributes to the steady improvement of the Commission’s internal control framework.

The IAS will conduct follow-up audits on the execution of action plans that will be examined by the Audit Progress Committee, which will inform the College as appropriate.

The IAS will continue to focus on financial, compliance and IT audits and will step up its activities in performance auditing.

7.List of acronyms

(1) The audit reports finalised by 1 February 2015 are included in this report.

(2) The report does not cover the decentralised European Agencies, the European External Action Service, or other bodies audited by the IAS, which receive separate annual reports.

(3) Required by Performance Standard 2060 of the International Standards for the Professional Practice of Internal Auditing (Standards) promulgated by the Institute of Internal Auditors (IIA).

(4)  Article 100 of the FR.

(5)  The Audit Progress Committee assists the College of Commissioners by ensuring that the work of the IAS, Internal Audit Capabilities (IACs) and of the ECA is properly taken into account by the Commission services and receives appropriate follow-up

(6)  The SWD provides an overview of all completed audit and follow-up audit engagements.

(7) For more details, see section 1.2 (footnote 9) of the SWD.

(8) For more details, see section 1.2 (footnote 8) of the SWD.

(9)  This section presents a brief summary of all audit engagements which resulted in recommendations rated 'very important'. Furthermore, it summarises those reports which covered important topics. A summary of all engagements is provided in the SWD.

(10) Public-Public Partnership.

(11)  The JUs consist of three Joint Technology Initiatives (JTIs), namely, Clean Sky, FCH and IMI and the JU for ITER (F4E).

(12)  Fuel Cells and Hydrogen Joint Undertaking.

(13)  Innovative Medicines Initiative Joint Undertaking.

(14)  Fusion for Energy.

(15)  Art. 117, Rules of Application (RAP) stipulates: "That annual report [i.e. 99(3) report] shall also mention any systemic problems detected by the specialised panel set up pursuant to Article 73(6) of the Financial Regulation .